Windows typically maintains three event log files: application, system, and security. They are generally found in C:\Windows\system32\config.

Each log file consists of a Header record and the Body. The body in turn consists of Event records, the Cursor record and unused space. The body can form a ring buffer, in which the cursor record marks the border between the oldest and the newest event record. Unused space can consist of empty space, slack and padding.
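The structure described above can be checked with a small parser. This is an added example, not code from the original page: it reads the header record, locates the cursor record and reports whether the ring buffer has wrapped. The field layout is taken from Microsoft's documented legacy .evt structures (ELF_LOGFILE_HEADER and ELF_EOF_RECORD), which the page does not list; the function names are hypothetical and the sample log is constructed.

```python
import struct

# Layout from Microsoft's documented legacy .evt structures (ELF_LOGFILE_HEADER,
# ELF_EOF_RECORD); the page itself does not list these fields.
HEADER = struct.Struct("<12I")   # 48-byte header record
CURSOR = struct.Struct("<10I")   # 40-byte cursor (EOF) record
SIGNATURE = 0x654C664C           # "LfLe"
MAGIC = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)
DIRTY = 0x1                      # header flag: log was not closed cleanly

def parse_header(data):
    f = HEADER.unpack_from(data, 0)
    if f[0] != 0x30 or f[1] != SIGNATURE or f[11] != 0x30:
        raise ValueError("not a legacy event log header")
    return {"oldest_offset": f[4], "cursor_offset": f[5], "next_number": f[6],
            "oldest_number": f[7], "dirty": bool(f[9] & DIRTY)}

def find_cursor(data):
    """Locate the cursor record by its magic instead of trusting the header."""
    pos = data.find(MAGIC, HEADER.size)
    while pos != -1:
        off = pos - 4                      # magic follows the leading size field
        if off + CURSOR.size <= len(data):
            f = CURSOR.unpack_from(data, off)
            if f[0] == 0x28 and f[9] == 0x28:
                return {"oldest_offset": f[5], "cursor_offset": off,
                        "next_number": f[7], "oldest_number": f[8]}
        pos = data.find(MAGIC, pos + 1)
    return None

def describe(data):
    hdr = parse_header(data)
    # A dirty header was never flushed, so its offsets may be stale.
    src = find_cursor(data) if hdr["dirty"] else hdr
    if src is None:
        raise ValueError("cursor record not found")
    return {"oldest_offset": src["oldest_offset"],
            "cursor_offset": src["cursor_offset"],
            "records": src["next_number"] - src["oldest_number"],
            # Oldest record stored after the cursor: the ring has wrapped.
            "wrapped": src["oldest_offset"] > src["cursor_offset"]}

def build_sample():
    """Constructed 512-byte log: stale dirty header, cursor at 0x80."""
    buf = bytearray(0x200)
    HEADER.pack_into(buf, 0, 0x30, SIGNATURE, 1, 1, 0x30, 0x30, 1, 1,
                     0x200, DIRTY, 0, 0x30)
    CURSOR.pack_into(buf, 0x80, 0x28, 0x11111111, 0x22222222, 0x33333333,
                     0x44444444, 0x100, 0x80, 9, 4, 0x28)
    return bytes(buf)
```

Calling `describe(build_sample())` shows the case that matters in forensics: the header still points at 0x30, while the cursor record places the oldest event at 0x100, beyond the cursor itself.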